SAPGUI SSO Kerberos - 1 UNIX box - 3 SAP instances

0 Kudos

Hello,

We successfully enabled SSO using Kerberos on 1 SAP instance.

We now try to enable SSO on a second SAP instance, which is on the same physical UNIX box.

SAPGUI error : "SAP system Message:"

Error in the Windows event log :

A Kerberos Error Message was received:

on logon session

Client Time:

Server Time: 8:43:34.0000 12/8/2009 Z

Error Code: 0x1b Unknown Error

Extended Error:

Client Realm:

Client Name:

Server Realm: DOMAIN.COM

Server Name: user

Target Name: user @ DOMAIN.COM

Error Text:

File: 9

Line: efb

Error Data is in record data.

configuration :

p:SAPService/server1.domain.com @ DOMAIN.COM

p:SAPService/server2.domain.com @ DOMAIN.COM

(I had to add a space to @ otherwise I cannot post this message on the forum)

Is it a problem we used SAPService 2 times?

Or should we use 2 different names here?

For the rest we cannot think of another reason.

Thank you for your feedback

Hans

Accepted Solutions (1)

nelis
Active Contributor
0 Kudos

Is it a problem we used SAPService 2 times?

Or should we use 2 different names here?

If both SAPServices are using the same domain, then I think it will be a problem using the same name; if the domain is different, then it shouldn't matter.

If it's the same domain used for each SAP instance on the same Unix "box", then I have to ask: why are you using two separate SPNs?

--

Nelis

0 Kudos

Hi Nelis,

Thank you for your feedback.

Yes, all machines are in the same domain.

We have 1 UNIX box which has a DNS name.

Each SAP instance also has a virtual DNS name.

So in fact each SAP instance has a different hostname, therefore I assume we need to use different SPNs, no?

Or will the physical DNS name of the box be sufficient?

Thank you for your time.

Hans

nelis
Active Contributor
0 Kudos

So in fact each SAP instance has a different hostname, therefore I assume we need to use different SPNs, no?

Or will the physical DNS name of the box be sufficient?

From what I remember you only require the physical DNS name of the actual Unix server.

So when you register the SPN you use something like:


setspn -A SAPService/<physical server full dns name> <DOMAIN>\<service user>

Then you export the key and import it into your Unix "box". You can then copy the generated key file to each application server, and all instances on the same machine use the same SPN/key file (if it's the same domain). So all authentication will be seen to be coming from the same system.

--

Nelis
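
A consistency check for the setup described in the answer above, added here as an example that is not part of the original thread or any SAP tool. It compares each instance's SNC name with the principals in the shared key file and flags names built on a virtual host; the host `unixbox.domain.com`, the SIDs, the key file path and the `klist -k` style listing are constructed assumptions.

```python
import re

# Constructed sample in the style of MIT `klist -k` output for the shared key file.
KLIST_OUTPUT = """\
Keytab name: FILE:/path/to/sap.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 SAPService/unixbox.domain.com@DOMAIN.COM
"""

# Constructed sample: SNC name per SAP instance (SIDs and host names are hypothetical).
INSTANCE_SNC_NAMES = {
    "SID1": "p:SAPService/unixbox.domain.com@DOMAIN.COM",
    "SID2": "p:SAPService/server2.domain.com @ DOMAIN.COM",  # virtual host name
    "SID3": "p:SAPService/unixbox.domain.com@DOMAIN.COM",
}

def keytab_principals(klist_text):
    """Return the principals listed in `klist -k` style output."""
    found = set()
    for line in klist_text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            found.add(m.group(1))
    return found

def parse_snc_name(snc_name):
    """Split 'p:service/host@REALM' into (service, host, realm)."""
    # Tolerate the space around '@' that the forum forced on the poster.
    cleaned = re.sub(r"\s*@\s*", "@", snc_name.strip())
    m = re.fullmatch(r"p:([^/@\s]+)/([^/@\s]+)@([^/@\s]+)", cleaned)
    if not m:
        raise ValueError(f"not a Kerberos SNC name: {snc_name!r}")
    return m.groups()

def check_instances(snc_names, klist_text, physical_fqdn):
    """Map each SID to a list of problems (empty list means consistent)."""
    principals = keytab_principals(klist_text)
    findings = {}
    for sid, snc in snc_names.items():
        service, host, realm = parse_snc_name(snc)
        problems = []
        if f"{service}/{host}@{realm}" not in principals:
            problems.append("principal not in key file")
        if host.lower() != physical_fqdn.lower():
            problems.append("host is not the physical server name")
        findings[sid] = problems
    return findings
```

Calling `check_instances(INSTANCE_SNC_NAMES, KLIST_OUTPUT, "unixbox.domain.com")` reports SID2, the instance still configured with its virtual host name, and leaves the other two empty.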

0 Kudos

Hi Nelis,

This did the trick.

We ran the commands for the physical server id and this worked.

Next topic where I can use your help.

Normally users should be edited in SU01 to enter the SNC data.

This information is added to table USRACL.

Do you have knowledge how we can automate this?

(Or how we can do this in bulk.)

Thank you for your help

Hans

nelis
Active Contributor
0 Kudos

Normally users should be edited in SU01 to enter the SNC data.

This information is added to table USRACL.

Do you have knowledge how we can automate this?

(Or how we can do this in bulk.)

Yes, you can use report RSUSR300 for this.

--

Nelis

0 Kudos

Nelis, I would like to thank you for your help!

It's appreciated.

Hans

Former Member
0 Kudos

Where did you download the snc/gssapi_lib from? I am assuming you are running with a libgssapi_krb5.so in Unix?

Former Member
0 Kudos

Hi,

We are planning to have SSO for Kerberos (Windows AD) in the following scenario:

ABAP and Java Systems. Please let me know the details / docs for the same.

Regards,

Amar

Answers (3)

Former Member
0 Kudos

Hello Andy,

Please refer to the link below.

http://scn.sap.com/thread/3262668

Hope that would help you.

Let me know if you need more info.

Cheers,

Nick

former_member199849
Participant
0 Kudos

Hi Hans,

Please can you share information about configuring SSO for a Unix system?

In my case we have ERP on AIX servers and we want to do SSO with AD (Windows). For AIX/Unix, is there a special library for Kerberos? Or how is the configuration done?

Thanks

Andy

Former Member
0 Kudos

Hello Andy,

We have successfully configured Single Sign-On (SSO) on our Development and Quality systems using Kerberos. These two systems are central systems (no application server attached to them). We have tested the functionality and it is working fine.

@ all,

Now we have to configure the same setup in the Production system, where it has an application server which also works as fail-over node. How do I do it here? Could some of you confirm the points below?

1) Do I need to install Kerberos on both the Central Instance and the Dialogue Instance?

2) Do I need to generate 2 separate keytabs in AD for CI and DI?

3) Do I have to set the SPN 2 times (CI & DI) for the same user id?

4) Do I need to maintain the SNC parameters in the instance profile of both CI and DI?

5) I have a logon group created and assigned to both CI and DI. In the normal case the load balancing happens. What are all the changes that I need to make in saplogon.ini if I have to have the same load balancing mechanism even after implementing SSO?

Please clarify them in detail. I would really appreciate all your help.

Thanks,

Nick S

former_member199849
Participant
0 Kudos

Hi Nick

Could you share the procedure that you followed in order to set up SSO between SAPGUI and Unix, please? I have only set up SSO for Java systems and not for ABAP Unix systems.

About your questions, I guess that you have to set up SSO in CI and DI. For example, I configured SSO for Portal 7.3 (CI and DI); in AD I set the SPN service for each server, but there is no load balancing yet.

So I guess it's the same for ABAP: you have to do it for each server.

Regards

Andy

Former Member
0 Kudos

Hello Hans,

I am glad to hear that it is possible to create SSO using Kerberos for SAP on Unix.

I have a task: allow automatic logon to SAP (AIX, DB2) from a Windows workstation. I am trying to find any documentation, but without result. I found a little bit about the situation of SAP on a Windows server, but this didn't help.

May I ask you to send some info/docs about the required steps to configure SSO with Kerberos? Where do I find the Kerberos library for AIX? What do I need to install on workstations?

Thanks,

Ilgvars